git: f64a688dfda9 - main - Remove gratuitous copyouts of unchanged struct mac.

From: Brooks Davis <brooks_at_FreeBSD.org>
Date: Mon, 13 Nov 2023 21:33:11 UTC
The branch main has been updated by brooks:

URL: https://cgit.FreeBSD.org/src/commit/?id=f64a688dfda9d664c03ba67dab27dd6c7e10784d

commit f64a688dfda9d664c03ba67dab27dd6c7e10784d
Author:     Brooks Davis <brooks@FreeBSD.org>
AuthorDate: 2023-11-13 21:32:15 +0000
Commit:     Brooks Davis <brooks@FreeBSD.org>
CommitDate: 2023-11-13 21:32:15 +0000

    Remove gratuitous copyouts of unchanged struct mac.
    
    The get operations change the data pointed to by the structure, but do
    not update the contents of the struct.
    
    Mark the struct mac arguments of mac_[gs]etsockopt_*label() and
    mac_check_structmac_consistent() const to prevent this from changing
    in the future.
    
    Reviewed by:    markj
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D14488
---
 sys/kern/uipc_socket.c           | 4 ++--
 sys/security/mac/mac_framework.c | 3 +--
 sys/security/mac/mac_framework.h | 6 +++---
 sys/security/mac/mac_internal.h  | 2 +-
 sys/security/mac/mac_socket.c    | 8 +++++---
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 880dec89245b..0ddcf0409cb0 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -3442,7 +3442,7 @@ integer:
 			    so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
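Review bot: The new comment `/* Don't copy out extmac, it is unchanged. */` records what is no longer done but not where the result of the get now goes. The commit message says the get operations change the data the structure points to, so a wording such as `/* The label is returned through the buffer extmac points to; extmac itself is unchanged. */` would be clearer. The same applies to the identical comment in the next hunk (@@ -3458). The matching copyin is outside both hunks, so it is worth confirming that nothing on these paths relied on sooptcopyout() adjusting `sopt->sopt_valsize`.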
@@ -3458,7 +3458,7 @@ integer:
 			    sopt->sopt_td->td_ucred, so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8f1aa37d45b3..682f05c6979f 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -725,9 +725,8 @@ mac_error_select(int error1, int error2)
 }
 
 int
-mac_check_structmac_consistent(struct mac *mac)
+mac_check_structmac_consistent(const struct mac *mac)
 {
-
 	/* Require that labels have a non-zero length. */
 	if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN ||
 	    mac->m_buflen <= sizeof(""))
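Review bot: The comment above the length check describes only half of the condition and understates the lower bound. Since `sizeof("")` is 1, `m_buflen <= sizeof("")` rejects any buffer of one byte or less, and the first clause also enforces the `MAC_MAX_LABEL_BUF_LEN` ceiling. Because this validates a caller-supplied length, I would spell out both bounds, e.g. `/* Require room for at least one label byte plus the NUL, and at most MAC_MAX_LABEL_BUF_LEN. */`. The rest of the function body lies outside this hunk.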
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 644028bde478..c69b9cd64454 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -408,11 +408,11 @@ void	mac_socket_destroy(struct socket *);
 int	mac_socket_init(struct socket *, int);
 void	mac_socket_newconn(struct socket *oldso, struct socket *newso);
 int	mac_getsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 
 void	mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
 void	mac_socketpeer_set_from_socket(struct socket *oldso,
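Review bot: The `const struct mac *extmac` on the two get prototypes can be misread as "this call produces no output", because `const` only protects the struct's own fields. The commit message states that the get operations still change the data the structure points to. A short comment above these prototypes would record that contract, e.g. `/* extmac is not modified; the get variants write the label to the buffer it points to. */`. That keeps a future caller from dropping validation of that buffer on the assumption that a const argument means a read-only operation.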
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index d1ee1af09c0b..aa407598600a 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -210,7 +210,7 @@ void		 mac_labelzone_init(void);
 
 void	mac_init_label(struct label *label);
 void	mac_destroy_label(struct label *label);
-int	mac_check_structmac_consistent(struct mac *mac);
+int	mac_check_structmac_consistent(const struct mac *mac);
 int	mac_allocate_slot(void);
 
 /*
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index be1363024657..e9f94404734a 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -521,7 +521,8 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
 }
 
 int
-mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_setsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	struct label *intlabel;
 	char *buffer;
@@ -554,7 +555,8 @@ out:
 }
 
 int
-mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_getsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	char *buffer, *elements;
 	struct label *intlabel;
@@ -593,7 +595,7 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 
 int
 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-    struct mac *mac)
+    const struct mac *mac)
 {
 	char *elements, *buffer;
 	struct label *intlabel;